Attack of the malicious document – what was old is new again

Recent zero-day attacks targeting Windows using malicious Office documents should be a reminder to all of us that no attack vector ever truly dies; it just lurks in the background waiting for its time to come again. Malicious Office documents have not been a popular attack vector for several years, but it seems that what’s old is new again.

The recent crop of attacks seen in the wild use Word, PowerPoint and other Office documents to exploit serious vulnerabilities discovered in numerous versions of Windows. These attacks were targeted at major corporations and at least one attack compromised the Windows kernel. This is particularly concerning as kernel exploits can put the attacker in full control of the system and bypass all known forms of defense, including AV, sandboxes and behavioral blocking solutions.

The industry often seems to be distracted by “bright shiny objects” that are in the headlines and that are actively being exploited. That is no excuse, however, to neglect vectors that have been successfully used in the past but that, for whatever reason, have lost favor for a period of time. Attackers are supremely adaptable and will focus on any vector that is vulnerable, particularly areas where defenders have been lulled into a false sense of security.

These document-based attacks illustrate the point again that detection-based strategies are no longer effective in providing the level of protection needed in the digital world we all operate in today. ANY digital information that a user interacts with from the outside world holds the potential for attacking and compromising a system, whether it has been recently known to deliver attacks or not. The only rational approach is to treat ALL information as if it is malicious.

The Bromium approach to isolation provides protection from just these types of kernel attacks. The Bromium Microvisor separates security from the operating system or the media being protected. Bromium uses the security features built into modern hardware platforms to isolate attacks originating from the web, whether from downloaded documents or malicious web servers. Even sophisticated zero-day attacks are defeated without any actions from either the user or the IT group.

According to Forrester Research, Microsoft Office still dominates the enterprise productivity suite market. Bromium customers running the MS Office platform, including Office 2013, were protected against the new zero-day attacks before these attacks were ever developed or deployed. This type of new approach to the entire cyber security problem is what the industry and vulnerable customers have been waiting for.